Skip to main content

Chamilo Lms CVE-2025-59544

MEDIUM
Missing Authorization (CWE-862)
2026-03-06 security-advisories@github.com
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 06, 2026 - 04:16 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34.

AnalysisAI

Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. [CVSS 4.3 MEDIUM]

Technical ContextAI

Classified as CWE-862 (Missing Authorization). Affects Chamilo Lms. Chamilo is a learning management system. Prior to version 1.11.34, the functionality for the user to update the category does not implement authorization checks for the "category_id" parameter which allows users to update the category of any user by replacing the "category_id" parameter. This issue has been patched in version 1.11.34.

RemediationAI

Fixed in version 1.11.34.. Restrict network access to the affected service where possible.

CVE-2025-50187 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

CVE-2025-50192 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database ex

CVE-2025-50190 CRITICAL POC
9.8 Mar 02

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

CVE-2021-35414 CRITICAL POC
9.8 Dec 03

Chamilo LMS v1.11.x was discovered to contain a SQL injection via the doc parameter in main/plagiarism/compilatio/upload

CVE-2019-13082 CRITICAL POC
9.8 Jun 30

Chamilo LMS 1.11.8 and 2.x allows remote code execution through an lp_upload.php unauthenticated file upload feature. Ra

CVE-2025-50199 CRITICAL POC
9.1 Mar 02

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning p

CVE-2023-4220 MEDIUM POC
6.1 Nov 28

Unrestricted file upload in big file upload functionality in `/main/inc/lib/javascript/bigupload/inc/bigUpload.php` in C

CVE-2025-50189 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. [CVSS 8.8 HIGH]

CVE-2025-52468 HIGH POC
8.8 Mar 02

Chamilo is a learning management system. Prior to version 1.11.30, an input validation vulnerability exists when importi

CVE-2024-30616 HIGH POC
8.8 Nov 04

Chamilo LMS 1.11.26 is vulnerable to Incorrect Access Control via main/auth/profile. Rated high severity (CVSS 8.8), thi

CVE-2023-4226 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/work.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers wit

CVE-2023-4225 HIGH POC
8.8 Nov 28

Unrestricted file upload in `/main/inc/ajax/exercise.ajax.php` in Chamilo LMS <= v1.11.24 allows authenticated attackers

Share

CVE-2025-59544 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy